-
Notifications
You must be signed in to change notification settings - Fork 133
58 lines (51 loc) · 1.48 KB
/
image.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
---
name: Create OCI image
on:
pull_request:
branches:
- main
paths-ignore:
- 'docs/**'
push:
branches:
- main
permissions: read-all
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs:
publish-image:
strategy:
fail-fast: false
matrix:
image: [image, nativelink-worker-init, nativelink-worker-lre-cc]
name: Publish ${{ matrix.image }}
runs-on: ubuntu-24.04
permissions:
packages: write
id-token: write
security-events: write
timeout-minutes: 30
steps:
- name: Checkout
uses: >- # v4.2.2
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Prepare Worker
uses: ./.github/actions/prepare-nix
- name: Test image
run: |
nix run .#local-image-test ${{ matrix.image }}
- name: Upload image
run: |
nix run .#publish-ghcr ${{ matrix.image }}
env:
GHCR_REGISTRY: ghcr.io/${{ github.repository_owner }}
GHCR_USERNAME: ${{ github.actor }}
GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
if: github.ref == 'refs/heads/main'
- name: Upload trivy scan results to GitHub Security tab
uses: >- # v2.16.3
github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5
with:
sarif_file: 'trivy-results.sarif'
if: github.ref == 'refs/heads/main'